Can somebody help me? I am trying to make a health code. I start out by searching an unknown 32-bit value (equal), then I hurt myself, pause the game and search not equal, run the game, wait till the red screen goes away and search not equal, then equal, and so on. I got down to 8 addresses; all of them have the same values except one, so I set a write breakpoint on it and this is what it gives me:
I tried to nop stfs f0,400(r3), but that didn't seem to work. Any ideas? Thanks.
CR: 48000428 XER: 00000000 CTR: 00000000 DSIS: 02400000
DAR: 808BA790 SRR0: 80561DE0 SRR1: 0000B032 LR: 80561DC0
r0: 00000000 r1: 801C9A08 r2: 801C1300 r3: 808BA600
r4: 808BA600 r5: 00000000 r6: 00000000 r7: 00000008
r8: 80DF7084 r9: 000000C2 r10: 00000000 r11: 801C9A08
r12: 81107A18 r13: 801C02A0 r14: 935E0000 r15: 03534D00
r16: 8011A2E0 r17: 00000000 r18: 00000000 r19: 802BB000
r20: 802BA580 r21: 00000001 r22: 800E7040 r23: 800F1000
r24: 8011A180 r25: 00000001 r26: 00000001 r27: 00000000
r28: 00000001 r29: 00000007 r30: 808BA600 r31: 808BAE3C
f0: 3FAAAAAB f1: 4403C000 f2: 43C88000 f3: D0A10000
f4: D0A0C000 f5: 00000000 f6: 00000000 f7: 00000000
f8: 00000000 f9: 00000000 f10: 00000000 f11: 3F800000
f12: 3F800000 f13: 00000000 f14: 00000000 f15: 00000000
f16: 00000000 f17: 00000000 f18: 00000000 f19: 00000000
f20: 00000000 f21: 00000000 f22: 00000000 f23: 00000000
f24: 00000000 f25: 00000000 f26: 00000000 f27: 00000000
f28: 00000000 f29: BF800000 f30: 00000000 f31: 3F800000
80561DE0: D0030190 stfs f0,400(r3)
80561DE4: C01F0014 lfs f0,20(r31)
80561DE8: D0030194 stfs f0,404(r3)
80561DEC: C01F0000 lfs f0,0(r31)
80561DF0: D0030180 stfs f0,384(r3)
80561DF4: C01F0004 lfs f0,4(r31)
80561DF8: D0030184 stfs f0,388(r3)
80561DFC: C01F0008 lfs f0,8(r31)
80561E00: D0030188 stfs f0,392(r3)
80561E04: 807E0344 lwz r3,836(r30)
80561E08: 38030001 addi r0,r3,1
80561E0C: 901E0344 stw r0,836(r30)
80561E10: 3BBD0001 addi r29,r29,1
80561E14: 281D0008 cmplwi r29,8
80561E18: 3BFF003C addi r31,r31,60
80561E1C: 4180FF9C blt+ 0x80561db8
80561E20: 3C60808C lis r3,-32628
80561E24: 8003AE88 lwz r0,-20856(r3)
80561E28: 20000001 subfic r0,r0,1
80561E2C: 9003AE88 stw r0,-20856(r3)
80561E30: 83E1001C lwz r31,28(r1)
80561E34: 83C10018 lwz r30,24(r1)
80561E38: 83A10014 lwz r29,20(r1)
80561E3C: 80010024 lwz r0,36(r1)
80561E40: 7C0803A6 mtlr r0
80561E44: 38210020 addi r1,r1,32
80561E48: 4E800020 blr
80561E4C: 9421FFD0 stwu r1,-48(r1)
80561E50: 7C0802A6 mflr r0
80561E54: 90010034 stw r0,52(r1)
80561E58: 39610030 addi r11,r1,48
80561E5C: 4BACCC2D bl 0x8002ea88
80561E60: 7C7E1B78 mr r30,r3
80561E64: 3F20808C lis r25,-32628
80561E68: 38799E00 subi r3,r25,25088
80561E6C: 38800000 li r4,0
80561E70: 38A00800 li r5,2048
80561E74: 4BAA24DD bl 0x80004350
80561E78: 3BE00000 li r31,0
80561E7C: 3BA00000 li r29,0
Try doing a 32-bit Unknown Search on equal. Each time you get hit, do a Less Than search.
If you die and start on a new life, do one Greater Than search, then continue with the Less Than searches till you have fewer than 10 results.
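The search loop described in this post, simulated offline as an added example (this is not WiiRD code and not code from the thread): each snapshot is a raw big-endian dump of a memory range, and each comparison is run word by word against the previous snapshot, exactly the way the Unknown / Less Than / Greater Than chain works. The sample memory is constructed, not a real dump; it contains an integer HP word, a float HP fraction and a per-frame countdown, which shows why a counter that decrements every frame survives a run of Less Than searches but is thrown out by the first Greater Than search. Note also that for positive IEEE-754 floats the unsigned integer ordering matches the float ordering, so a float health value survives integer Less/Greater searches too; a sign change would break that, which is the one assumption here.

```python
import struct

MEM1_BASE = 0x80000000  # WiiRD's "80" range; MEM2 would be 0x90000000

# Comparisons WiiRD offers against the previous search result.
COMPARE = {
    "equal":     lambda new, old: new == old,
    "not_equal": lambda new, old: new != old,
    "less":      lambda new, old: new < old,
    "greater":   lambda new, old: new > old,
}


def words(snapshot: bytes):
    """Split a raw dump into aligned big-endian 32-bit words (the Wii CPU is big-endian)."""
    n = len(snapshot) // 4
    return struct.unpack(f">{n}I", snapshot[: n * 4])


def unknown_search(snapshots, ops, base=MEM1_BASE):
    """Simulate an 'Unknown 32-bit' search followed by successive comparisons.

    snapshots[0] is the initial unknown-value snapshot; snapshots[i] is compared
    word by word against snapshots[i-1] using ops[i-1].  Returns the addresses
    of the words that survived every comparison, lowest first.
    """
    if len(ops) != len(snapshots) - 1:
        raise ValueError("need exactly one comparison per snapshot after the first")
    prev = words(snapshots[0])
    alive = set(range(len(prev)))
    for snap, op in zip(snapshots[1:], ops):
        cur = words(snap)
        if len(cur) != len(prev):
            raise ValueError("all snapshots must cover the same range")
        keep = COMPARE[op]
        alive = {i for i in alive if keep(cur[i], prev[i])}
        prev = cur
    return sorted(base + 4 * i for i in alive)


def as_float(word: int) -> float:
    """Reinterpret a 32-bit word as an IEEE-754 single (what WiiRD shows for 'float')."""
    return struct.unpack(">f", struct.pack(">I", word))[0]


def make_snapshot(values):
    return struct.pack(f">{len(values)}I", *values)


# Constructed sample memory (not a real dump): 16 words, three of them "live".
_IDLE = [0x11111111] * 16


def _frame(health, health_f, counter):
    w = list(_IDLE)
    w[4] = health        # 0x80000010: integer HP, 0x64 when full
    w[8] = counter       # 0x80000020: something counting down every frame
    w[12] = health_f     # 0x80000030: HP as a float fraction (1.0 = full)
    return make_snapshot(w)


SNAPSHOTS = [
    _frame(0x64, 0x3F800000, 1000),  # start: full health
    _frame(0x50, 0x3F4CCCCD, 999),   # after taking a hit: 80, and 0.8 as a float
    _frame(0x64, 0x3F800000, 998),   # after regenerating
]

if __name__ == "__main__":
    hits = unknown_search(SNAPSHOTS, ["less", "greater"])
    print([hex(a) for a in hits])  # ['0x80000010', '0x80000030']
```

With a Less Than search after the hit and a Greater Than search after regenerating, only the two HP words are left; the frame counter is gone because it never goes up. Running two Less Than searches in a row instead leaves only the counter, which is the symptom reported later in the thread.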
I tried that but it didn't work. I just came up with 3 codes, but when I go to mem view they are constantly counting down by one whether I get hit or not. Any other ideas to try and find my health?
The game most likely doesn't use a float for health; if it did, it's probably for the percentage of a health bar it needs to throw up on the display.
How does health work in the game? Did anything happen at all when you nop'd? When you set the breakpoint, did it pause only when you got hit? When you watch it in Memory Viewer with auto-update, does it behave like you might expect health to behave, staying the same until you get hit and then decreasing?
It looks like there's supposed to be a lfs f0,something before it. TIP: whenever pasting a disassembly, it's important to show some instructions *before* the instruction you're breaking on, so we can see what's happening. In fact, what's happening before an instruction is probably more important than what happens after.
You might be able to find out who wrote to f0. Unfortunately, according to http://babbage.cs.qc.edu/IEEE-754/32bit.html (http://babbage.cs.qc.edu/IEEE-754/32bit.html) f0 holds "1.333" so that's probably not health...
When I watch in mem view, when I get hit it goes down then back up, just like health does. When I set the write breakpoint, it froze when I got hit. I will post the lines before tonight.
Hey guys, sorry for the late reply. Here are 10 lines up. Thanks.
80561DB8: 7FE3FB78 mr r3,r31
80561DBC: 4BFFFF75 bl 0x80561d30
80561DC0: 2C030000 cmpwi r3,0
80561DC4: 4182004C beq- 0x80561e10
80561DC8: 801E0344 lwz r0,836(r30)
80561DCC: 1C000018 mulli r0,r0,24
80561DD0: 7C7E0214 add r3,r30,r0
80561DD4: C01F000C lfs f0,12(r31)
80561DD8: D003018C stfs f0,396(r3)
80561DDC: C01F0010 lfs f0,16(r31)
80561DE0: D0030190 stfs f0,400(r3)
80561DE4: C01F0014 lfs f0,20(r31)
80561DE8: D0030194 stfs f0,404(r3)
80561DEC: C01F0000 lfs f0,0(r31)
80561DF0: D0030180 stfs f0,384(r3)
80561DF4: C01F0004 lfs f0,4(r31)
80561DF8: D0030184 stfs f0,388(r3)
80561DFC: C01F0008 lfs f0,8(r31)
80561E00: D0030188 stfs f0,392(r3)
80561E04: 807E0344 lwz r3,836(r30)
80561E08: 38030001 addi r0,r3,1
80561E0C: 901E0344 stw r0,836(r30)
80561E10: 3BBD0001 addi r29,r29,1
80561E14: 281D0008 cmplwi r29,8
80561E18: 3BFF003C addi r31,r31,60
80561E1C: 4180FF9C blt+ 0x80561db8
Is this enough info or do you guys need more?
It looks like the code you found is copying a bunch of floats around for 8 different objects.
r31 points to an object in an array. A copy of the pointer gets passed to that bl through r3. The bl returns the result of...some function...in r3. (in general, r3 is used to give things to a bl, and it is also used to get things back from a bl). If that result was 0, it moves on to the next object.
80561DB8: 7FE3FB78 mr r3,r31
80561DBC: 4BFFFF75 bl 0x80561d30
80561DC0: 2C030000 cmpwi r3,0
80561DC4: 4182004C beq- 0x80561e10
...snip...
80561E10: 3BBD0001 addi r29,r29,1
80561E14: 281D0008 cmplwi r29,8
80561E18: 3BFF003C addi r31,r31,60
80561E1C: 4180FF9C blt+ 0x80561db8
r29 is used to count through 8 objects for processing. Each object takes up 0x3C bytes in memory. If r29 is less than 8, we still have more objects to go, so add 0x3C to r31 and branch back to the top (where we put r31 into r3 and bl'd).
Inside the snipped bit, it's calculating a pointer and copying a bunch of floats from the current r31 to the calculated pointer.
This doesn't really sound very much like health processing code. Set an execute breakpoint right after the beq- and if the breakpoint gets hit when the player isn't losing health then you don't have health code. If that breakpoint only gets hit when someone takes damage, then r31 should hold a pointer to health-related values.
Unfortunately, it's not modifying the values, but merely copying them from one to the other. Sometimes you have to chase variables down in memory until you find the source that's adding or subtracting health.
Ok, I researched the values and I came up with 8 codes again. They all start at 00000064, but when I get hit it slowly goes down, and when I die it is FFFFFFF8. So here is the write breakpoint for the second one; it was the only one I saw that had sub in it.
804FD188: 801E015C lwz r0,348(r30)
804FD18C: 90839794 stw r4,-26732(r3)
804FD190: 90039798 stw r0,-26728(r3)
804FD194: 801E0160 lwz r0,352(r30)
804FD198: 9003979C stw r0,-26724(r3)
804FD19C: 801E0164 lwz r0,356(r30)
804FD1A0: 900397A0 stw r0,-26720(r3)
804FD1A4: 801E0168 lwz r0,360(r30)
804FD1A8: 900397A4 stw r0,-26716(r3)
804FD1AC: 801E016C lwz r0,364(r30)
804FD1B0: 900397A8 stw r0,-26712(r3)
804FD1B4: 809E0170 lwz r4,368(r30)
804FD1B8: 801E0174 lwz r0,372(r30)
804FD1BC: 908397AC stw r4,-26708(r3)
804FD1C0: 900397B0 stw r0,-26704(r3)
804FD1C4: 809E0178 lwz r4,376(r30)
804FD1C8: 801E017C lwz r0,380(r30)
804FD1CC: 908397B4 stw r4,-26700(r3)
804FD1D0: 900397B8 stw r0,-26696(r3)
804FD1D4: 801E0180 lwz r0,384(r30)
804FD1D8: 900397BC stw r0,-26692(r3)
804FD1DC: 38A397BE subi r5,r3,26690
804FD1E0: 389E0182 addi r4,r30,386
804FD1E4: 38000020 li r0,32
804FD1E8: 7C0903A6 mtctr r0
804FD1EC: A0640002 lhz r3,2(r4)
CR : 44000488 XER : 20000000 CTR : 00000000 DSIS: 02400000
DAR : 80A3AB88 SRR0: 804FD1B0 SRR1: 0000B032 LR : 804FCEE0
r0 : 00000000 r1 : 801C9808 r2 : 801C1300 r3 : 80A413E0
r4 : 41F00000 r5 : 00000038 r6 : 00000008 r7 : FFFFFFFE
r8 : 801C9877 r9 : 00000000 r10 : 00000000 r11 : 00000000
r12 : 00000000 r13 : 801C02A0 r14 : 935E0000 r15 : 03534D00
r16 : 8011A2E0 r17 : 00000000 r18 : 00000000 r19 : 802BB000
r20 : 802BA580 r21 : 00000001 r22 : 800E7040 r23 : 00000000
r24 : 81426420 r25 : 00000CCB r26 : 00000000 r27 : 80A213E0
r28 : 8066DEA0 r29 : 80605C68 r30 : 80A2DF08 r31 : 808719F0
f0 : 42700000 f1 : 00000000 f2 : 43360B61 f3 : 41BF791F
f4 : 00000000 f5 : BEA53531 f6 : 3E4D7339 f7 : 3E2AAAAA
f8 : BEA6B090 f9 : 3E4E0AA8 f10 : BD24054A f11 : 373FB235
f12 : 3C6C5B52 f13 : 36D6B77A f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : BF800000 f30 : 00000000 f31 : 3F800000
That subi isn't touching health, it's adjusting a pointer.
Well, what the heck am I doing wrong? Ok, let me do some more searching, but thanks.
Did you try mem2 yet?
No I haven't really touched mem2 what is the range for that?
Search the forums for some posts on mem2. According to http://wiibrew.org/wiki/Memory_Map (http://wiibrew.org/wiki/Memory_Map) it's 0x90000000 to 0x93FFFFFF, but some of that is used by IOS and I don't think you can touch that.
If you're using WiiRDGUI, on the code search tab, under "Memory Range" you should see an "80" - that's mem1. Change that drop-down box to "90" and you'll be searching mem2. It should automatically set the correct bounds.
Warning: mem2 is about 2 times bigger than mem1, so it takes a lot longer to search...
Thank you I will try it tonight. :)
Ok, I searched MEM2 but there was nothing there. My health value in this game is 0x64, and when I get hit it goes back up, so I searched an unknown 32-bit value, then I threw a grenade to get hurt and searched for Less Than, waited till my health went back up and searched for Greater Than, and so on, but again I always come up with 8 addresses. They all have the value 0x64, and when I look in mem view they all do the same. I tried to make a GCT code for each, code type 04 and 0x00 for the value, and applied each at different times, but they don't work. Is there something I am doing wrong?
And what would be the best way to upload screenshots on here? I used my snipping tool but it won't let me upload it; it says it is not writable.
If you're using the snipping tool, do Save As JPEG, and you can upload to tinypic.com and post the URL link.
Here are the addresses:
(http://i42.tinypic.com/s3k4kx.png)
And this is what it looks like in mem view
(http://i39.tinypic.com/2ynmlj9.png)
The value that is highlighted does not change at all; the other one, however, does go down when I get hurt and then goes back up, so I guess I don't know what I am doing wrong. Can somebody give me any suggestions? Thanks.
Did you try modding both 80A2157F and 80A21587?
Yeah, I tried 00000000 on both but nothing happened. This is what it looks like when I get hurt:
(http://i44.tinypic.com/ir6hko.jpg)
I circled the health that went down when I got hurt; the other address did not change, but I also circled the 7F that goes up when I get hurt. So do you have any idea why I can't get anywhere on this code?
RJAE52 = Call of Duty: Modern Warfare Reflex (NTSC)
There might be something else you're missing. Example:
Yes, this section is moving, but the hex value might just be the middle man.
Try looking for 100 in float; you can do this in WiiRD by putting in 100 and right-clicking on the box, you should get 42C80000.
You could try a BPW on the address that's changing, and try to follow it back to find out where it's getting its information from as well.
Normally you should see something like lwz or something, and it should be loading into the register that your BP address is writing.
Make sure you're checking both the 80 and 90 sections; you can run into fake values that are just being read from the other.
7F might be damage taken.
Ok, here is the disassembly with 10 lines above:
CR : 28000488 XER : 00000000 CTR : 000016AD DSIS: 02400000
DAR : 80B5BF88 SRR0: 804F3900 SRR1: 0000B032 LR : 804F36E8
r0 : 00000064 r1 : 801C98D8 r2 : 801C1300 r3 : 00000000
r4 : 80ADE7CC r5 : 80B5BF84 r6 : 80B5BE0C r7 : 00000001
r8 : 00000E53 r9 : 00000001 r10 : 801C98D8 r11 : 801C98C8
r12 : 00000018 r13 : 801C02A0 r14 : 935E0000 r15 : 03534D00
r16 : 8011A2E0 r17 : 00000000 r18 : 00000000 r19 : 802BB000
r20 : 802BA580 r21 : 00000001 r22 : 800E7040 r23 : 800F1000
r24 : 8011A180 r25 : 00000000 r26 : 80B50704 r27 : 80860000
r28 : 808597E8 r29 : 801C9900 r30 : 80AB505C r31 : 80ADE644
f0 : 00000000 f1 : 509C2E9A f2 : 00000000 f3 : 00000000
f4 : 00000000 f5 : 00000000 f6 : 00000000 f7 : 00000000
f8 : 00000000 f9 : 00000000 f10 : 00000000 f11 : 00000000
f12 : 3CBE8600 f13 : 3D2B71E0 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : BF800000 f30 : 00000000 f31 : 3F800000
804F38D8: 801F001C lwz r0,28(r31)
804F38DC: 9003B2C4 stw r0,-19772(r3)
804F38E0: 801F0020 lwz r0,32(r31)
804F38E4: 9003B2C8 stw r0,-19768(r3)
804F38E8: 38A60018 addi r5,r6,24
804F38EC: 389F0020 addi r4,r31,32
804F38F0: 380016D9 li r0,5849
804F38F4: 7C0903A6 mtctr r0
804F38F8: 80640004 lwz r3,4(r4)
804F38FC: 84040008 lwzu r0,8(r4)
804F3900: 90650004 stw r3,4(r5)
804F3904: 94050008 stwu r0,8(r5)
804F3908: 4200FFF0 bdnz+ 0x804f38f8
804F390C: 3C9F0001 addis r4,r31,1
804F3910: 8004B6EC lwz r0,-18708(r4)
804F3914: 3C660001 addis r3,r6,1
804F3918: 9003B6E4 stw r0,-18716(r3)
804F391C: 8004B6F0 lwz r0,-18704(r4)
804F3920: 9003B6E8 stw r0,-18712(r3)
804F3924: 8004B6F4 lwz r0,-18700(r4)
804F3928: 9003B6EC stw r0,-18708(r3)
804F392C: 8004B6F8 lwz r0,-18696(r4)
804F3930: 9003B6F0 stw r0,-18704(r3)
804F3934: 8004B6FC lwz r0,-18692(r4)
804F3938: 9003B6F4 stw r0,-18700(r3)
804F393C: 8004B700 lwz r0,-18688(r4)
And this is what it looks like on the BP screen. I have highlighted the register that has the 64 value that goes down when I get hit:
(http://i39.tinypic.com/29c5g1d.png)
I really don't know what I am doing wrong. If anybody has any suggestions I would really appreciate it. Thanks.
804F38F8: 80640004 lwz r3,4(r4)
804F38FC: 84040008 lwzu r0,8(r4)
Check those offsets on register r4, since they seem to be what's holding the value before it's placed there.
r4 : 80ADE7CC
This might be the area that you need.
He was at the wrong value. The correct value for HP is 81536A50 and it is 00000064 at full HP; nop the stw writing to it (location: 803B58BC) and... infinite HP.
Code:
Infinite HP [Matt123337]
043B58BC 60000000
Although there is one issue...
(http://www.freeimagehosting.net/uploads/4e6c54cc88.jpg)
But not a big deal
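The two mechanical steps behind that code, as an added example that is not from the thread or from WiiRD: reading the D-form load/store and immediate instructions that make up every listing above (opcode in the top 6 bits, rD/rS in the next 5, rA in the next 5, a signed 16-bit displacement in the low half), and turning a chosen address into a Gecko/Ocarina type-04 line. The decoder only covers the D-form opcodes that appear in this thread and prints anything else as `.long`; the Gecko builder assumes the default base address 0x80000000 (code type 04 carries a 25-bit offset from it), so it refuses MEM2 addresses. The `is_store` check is the practitioner's guard against what went wrong in the first post: before nopping an instruction, confirm the word at that address really is the store you meant to kill, not a neighbouring load that got copied from the listing.

```python
# PowerPC D-form decoder and Gecko 04 code builder (added example, not WiiRD code).

# Primary opcode -> mnemonic for the D-form instructions seen in the listings.
D_FORM = {
    14: "addi", 15: "addis", 24: "ori",
    32: "lwz", 33: "lwzu", 36: "stw", 37: "stwu", 40: "lhz",
    48: "lfs", 52: "stfs",
}
NOP = 0x60000000  # ori r0,r0,0 is the canonical PowerPC nop


def sign16(x: int) -> int:
    return x - 0x10000 if x & 0x8000 else x


def decode(word: int) -> str:
    """Disassemble one 32-bit big-endian instruction word (D-form only)."""
    op = word >> 26
    rt = (word >> 21) & 0x1F      # rD / rS / frD / frS
    ra = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    name = D_FORM.get(op)
    if name is None:
        return f".long 0x{word:08X}"   # not a D-form opcode this decoder knows
    if name == "ori":
        # ori is S-form: rS sits in the rD field, rA in the rA field.
        return "nop" if word == NOP else f"ori r{ra},r{rt},{imm}"
    if name in ("addi", "addis"):
        d = sign16(imm)
        suffix = "s" if name == "addis" else ""
        if ra == 0:                      # rA=0 means literal zero, hence li/lis
            return f"li{suffix} r{rt},{d}"
        if d < 0:                        # disassemblers print subi for negative d
            return f"subi{suffix} r{rt},r{ra},{-d}"
        return f"{name} r{rt},r{ra},{d}"
    reg = ("f" if name in ("lfs", "stfs") else "r") + str(rt)
    return f"{name} {reg},{sign16(imm)}(r{ra})"


def is_store(word: int) -> bool:
    """True if the word is one of the store forms in this decoder's table."""
    return decode(word).split(" ")[0] in ("stw", "stwu", "stfs")


def gecko_write32(address: int, value: int) -> str:
    """Gecko code type 04: write a 32-bit value at base(0x80000000) + 25-bit offset."""
    if not 0x80000000 <= address <= 0x81FFFFFF:
        raise ValueError("type 04 with the default base only reaches MEM1 (0x80xxxxxx)")
    return f"04{address & 0x01FFFFFF:06X} {value & 0xFFFFFFFF:08X}"


def nop_store(address: int, word: int) -> str:
    """Build the code that nops a store, refusing anything that is not a store."""
    if not is_store(word):
        raise ValueError(f"{decode(word)} at {address:08X} is not a store; check the listing")
    return gecko_write32(address, NOP)


if __name__ == "__main__":
    for w in (0xD0030190, 0x3C60808C, 0x38799E00, 0x8003AE88, 0x84040008):
        print(f"{w:08X}  {decode(w)}")
    print(gecko_write32(0x803B58BC, NOP))   # 043B58BC 60000000
```

`gecko_write32(0x803B58BC, NOP)` reproduces the Infinite HP line above. Trying `nop_store` on the `lfs f0,20(r31)` that follows the `stfs` in the first post raises instead of emitting a code, which is the check the first attempt was missing.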
You should break on the address you're nopping.
I'm betting it's tied to more than just your HP; that'd be why that issue you are having is there.
lol it's not, it's a side effect of having 20 grenades blowing up around you :p
Quote from: matt123337 on April 07, 2010, 03:12:34 AM
lol it's not, it's a side effect of having 20 grenades blowing up around you :p
lol. Interesting.